Revoke All Other Sessions

Revoke every session except the one making the request. Use this for "Sign out all other devices" UI.

POST /api/v1/auth/sessions/revoke-all — 🔑 User-auth (Bearer JWT) · Rate limit: 5 req / hour

Revokes all sessions for the authenticated user EXCEPT the current one. Pair with GET /auth/sessions to power "Sign out all other devices" buttons in account settings.

The current session (the one matching the requesting biore_refresh cookie) stays alive. Other devices' refresh tokens become invalid immediately; their access tokens expire within ~15 min.

Request

Headers

Header	Value	Notes
`Authorization`	`Bearer <accessToken>`	Required
`Cookie: biore_refresh=...`	(auto)	Used to identify the current session (kept alive)

No body, no path/query params.

Response

`200 OK` — empty body

{ "success": true }

Errors

HTTP	`code` / `i18nKey`	Reason
`401`	(no JWT or invalid)	Not authenticated
`429`	(throttle)	Rate limit exceeded (5 req/hour — strict; this is a destructive action)

Side effects

Hash the current refresh token (SHA-256) → match against Session.refreshTokenHash to identify the current session.
Update all Session rows where userId = current user AND id != current session id AND revokedAt IS NULL: set revokedAt = now().
Audit log: auth.sessions.revoke_all.success (with count of sessions revoked).

Code samples

curl -X POST https://api.bio.re/api/v1/auth/sessions/revoke-all \
  -H 'Authorization: Bearer <accessToken>' \
  -b cookies.txt

async function revokeAllSessions(accessToken: string): Promise<void> {
  const res = await fetch('https://api.bio.re/api/v1/auth/sessions/revoke-all', {
    method: 'POST',
    headers: { 'Authorization': `Bearer ${accessToken}` },
    credentials: 'include',
  });
  const json = await res.json();
  if (!res.ok || !json.success) {
    throw Object.assign(new Error(json?.error?.message ?? 'Revoke-all failed'), {
      code: json?.error?.code,
    });
  }
}

import { useMutation, useQueryClient } from '@tanstack/react-query';
import { sessionKeys } from './use-sessions';

export function useRevokeAllSessions() {
  const qc = useQueryClient();
  return useMutation({
    mutationFn: async () => {
      const res = await fetch('/api/v1/auth/sessions/revoke-all', {
        method: 'POST',
        credentials: 'include',
        headers: { 'Authorization': `Bearer ${getAccessToken()}` },
      });
      const json = await res.json();
      if (!res.ok || !json.success) {
        throw Object.assign(new Error(json?.error?.message ?? 'Revoke-all failed'), {
          code: json?.error?.code,
        });
      }
    },
    onSuccess: () => {
      qc.invalidateQueries({ queryKey: sessionKeys.all });
      toast.success(t('auth.sessions.revoke_all.success'));
    },
  });
}

Try it

Authorization

bearer

AuthorizationBearer <token>

In: header

Response Body

curl -X POST "https://loading/api/v1/auth/sessions/revoke-all"

Empty

Source

Source	Path	Lines
Controller	`apps/api-core/src/modules/auth/auth.controller.ts`	`282–298` (`revokeAllSessions`)
Service	`apps/api-core/src/modules/auth/auth.service.ts`	`revokeAllSessions()`
Prisma model	`packages/prisma/prisma/schema.prisma`	`Session.refreshTokenHash`, `Session.revokedAt`

Revoke All Other Sessions

200

On this page